Overview

overview

10

Static

static

3

cba8754ae5...8c.exe

windows7-x64

10

cba8754ae5...8c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    117s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/11/2024, 04:21 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cba8754ae5785da5d3da05cd5fb3d52b77729c64ddb86cd0c79831b8ad75a28c.exe

  • Size

    908KB

  • MD5

    b4a1a136d4f08945c12f170963337a25

  • SHA1

    0635813b35f5a9698d36ce74afacfdf79bba2a69

  • SHA256

    cba8754ae5785da5d3da05cd5fb3d52b77729c64ddb86cd0c79831b8ad75a28c

  • SHA512

    ab207b9fbcd4ebe47aeee598fc9ca8871b6ce3ebc28c31e065577a25cda65ceeb9bc3931204f26a7561c1b3c570852edf01a4fa96eb5c8d0bc835eb6bd46460c

  • SSDEEP

    12288:QqjqRBa80gi+TCUQpd6KA26mY6nltHnhm9FXRJ:QwqN0gi+TCUQvHEFXH

Score
10/10
imminentdiscoverypersistencespywaretrojan

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent
  • Imminent family
    imminent
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cba8754ae5785da5d3da05cd5fb3d52b77729c64ddb86cd0c79831b8ad75a28c.exe
    "C:\Users\Admin\AppData\Local\Temp\cba8754ae5785da5d3da05cd5fb3d52b77729c64ddb86cd0c79831b8ad75a28c.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:804
    • C:\Users\Admin\AppData\Roaming\model\print.exe
      "C:\Users\Admin\AppData\Roaming\model\print.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2236
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4412
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:3632

    Network

    • flag-us
      DNS
      154.239.44.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      154.239.44.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      73.31.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      73.31.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      232.168.11.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      232.168.11.51.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      53.210.109.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      53.210.109.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      65.139.73.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      65.139.73.23.in-addr.arpa
      IN PTR
      Response
      65.139.73.23.in-addr.arpa
      IN PTR
      a23-73-139-65deploystaticakamaitechnologiescom
    • flag-us
      DNS
      72.208.201.84.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      72.208.201.84.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      doddyfire.dyndns.org
      RegAsm.exe
      Remote address:
      8.8.8.8:53
      Request
      doddyfire.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      doddyfire.dyndns.org
      RegAsm.exe
      Remote address:
      8.8.8.8:53
      Request
      doddyfire.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      doddyfire.dyndns.org
      RegAsm.exe
      Remote address:
      8.8.8.8:53
      Request
      doddyfire.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      doddyfire.dyndns.org
      RegAsm.exe
      Remote address:
      8.8.8.8:53
      Request
      doddyfire.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      doddyfire.dyndns.org
      RegAsm.exe
      Remote address:
      8.8.8.8:53
      Request
      doddyfire.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      doddyfire.dyndns.org
      RegAsm.exe
      Remote address:
      8.8.8.8:53
      Request
      doddyfire.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      doddyfire.dyndns.org
      RegAsm.exe
      Remote address:
      8.8.8.8:53
      Request
      doddyfire.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      doddyfire.dyndns.org
      RegAsm.exe
      Remote address:
      8.8.8.8:53
      Request
      doddyfire.dyndns.org
      IN A
      Response
    • flag-us
      DNS
      doddyfire.dyndns.org
      RegAsm.exe
      Remote address:
      8.8.8.8:53
      Request
      doddyfire.dyndns.org
      IN A
      Response
    No results found
    • 8.8.8.8:53
      154.239.44.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      154.239.44.20.in-addr.arpa

    • 8.8.8.8:53
      73.31.126.40.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      73.31.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      232.168.11.51.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      232.168.11.51.in-addr.arpa

    • 8.8.8.8:53
      53.210.109.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      53.210.109.20.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      65.139.73.23.in-addr.arpa
      dns
      71 B
       135 B
       1
      1

      DNS Request

      65.139.73.23.in-addr.arpa

    • 8.8.8.8:53
      72.208.201.84.in-addr.arpa
      dns
      72 B
       132 B
       1
      1

      DNS Request

      72.208.201.84.in-addr.arpa

    • 8.8.8.8:53
      doddyfire.dyndns.org
      dns
      RegAsm.exe
      66 B
       117 B
       1
      1

      DNS Request

      doddyfire.dyndns.org

    • 8.8.8.8:53
      doddyfire.dyndns.org
      dns
      RegAsm.exe
      66 B
       117 B
       1
      1

      DNS Request

      doddyfire.dyndns.org

    • 8.8.8.8:53
      doddyfire.dyndns.org
      dns
      RegAsm.exe
      66 B
       117 B
       1
      1

      DNS Request

      doddyfire.dyndns.org

    • 8.8.8.8:53
      doddyfire.dyndns.org
      dns
      RegAsm.exe
      66 B
       117 B
       1
      1

      DNS Request

      doddyfire.dyndns.org

    • 8.8.8.8:53
      doddyfire.dyndns.org
      dns
      RegAsm.exe
      66 B
       117 B
       1
      1

      DNS Request

      doddyfire.dyndns.org

    • 8.8.8.8:53
      doddyfire.dyndns.org
      dns
      RegAsm.exe
      66 B
       117 B
       1
      1

      DNS Request

      doddyfire.dyndns.org

    • 8.8.8.8:53
      doddyfire.dyndns.org
      dns
      RegAsm.exe
      66 B
       117 B
       1
      1

      DNS Request

      doddyfire.dyndns.org

    • 8.8.8.8:53
      doddyfire.dyndns.org
      dns
      RegAsm.exe
      66 B
       117 B
       1
      1

      DNS Request

      doddyfire.dyndns.org

    • 8.8.8.8:53
      doddyfire.dyndns.org
      dns
      RegAsm.exe
      66 B
       117 B
       1
      1

      DNS Request

      doddyfire.dyndns.org

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\model\print.exe
      Filesize

      908KB

      MD5

      00de75462ef6c796ab9e1ca61f6c3f7f

      SHA1

      519015401626f5e4ed4cec040cecf70ef03ff472

      SHA256

      b4ecabc4a8c1459d0e24a1b302ce06974c7f9ad7ee1d267755b17b3a31eeab23

      SHA512

      f329cb011570aeebbbcbbf86f5db5b7e370b373ed52a55f038e81b784c60f2f55bc4a65e1954e40fcd68d9792b3a0db0f9b393423dcdd81abc1d902d48cf2267

      Download Submit

    • memory/804-23-0x0000000074610000-0x0000000074DC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/804-1-0x0000000000CC0000-0x0000000000D9E000-memory.dmp

      Filesize

      888KB

      Download

    • memory/804-2-0x0000000005DB0000-0x0000000006354000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/804-3-0x0000000005800000-0x0000000005892000-memory.dmp

      Filesize

      584KB

      Download

    • memory/804-4-0x0000000074610000-0x0000000074DC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/804-5-0x00000000057A0000-0x00000000057AA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/804-6-0x0000000005790000-0x0000000005798000-memory.dmp

      Filesize

      32KB

      Download

    • memory/804-7-0x000000007461E000-0x000000007461F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/804-8-0x0000000074610000-0x0000000074DC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/804-0-0x000000007461E000-0x000000007461F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2236-26-0x0000000074610000-0x0000000074DC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2236-30-0x0000000074610000-0x0000000074DC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2236-25-0x0000000074610000-0x0000000074DC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2236-22-0x0000000074610000-0x0000000074DC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2236-27-0x0000000005ED0000-0x0000000005F28000-memory.dmp

      Filesize

      352KB

      Download

    • memory/2236-24-0x0000000074610000-0x0000000074DC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4412-33-0x0000000000F40000-0x0000000000F50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4412-31-0x0000000074610000-0x0000000074DC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4412-32-0x0000000074610000-0x0000000074DC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4412-28-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4412-34-0x00000000051F0000-0x000000000529E000-memory.dmp

      Filesize

      696KB

      Download

    • memory/4412-35-0x0000000002A30000-0x0000000002A58000-memory.dmp

      Filesize

      160KB

      Download

    • memory/4412-36-0x000000000A900000-0x000000000A99C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4412-37-0x00000000058D0000-0x0000000005936000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4412-38-0x0000000005CD0000-0x0000000005CE8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4412-39-0x0000000005D30000-0x0000000005D46000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4412-45-0x0000000074610000-0x0000000074DC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4412-46-0x0000000074610000-0x0000000074DC0000-memory.dmp

      Filesize

      7.7MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.